ACME server blocking me

thend20 · November 30, 2023, 2:17am

connection timeouts for any certbot commands

requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f5fa7bfc310>, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))
2023-11-30 01:19:40,973:ERROR:certbot._internal.log:An unexpected error occurred:
2023-11-30 01:19:40,973:ERROR:certbot._internal.log:requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f5fa7bfc310>, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))

curl confirms timeout, firewall, block

curl -4L https://acme-v02.api.letsencrypt.org/directory
curl: (28) Failed to connect to acme-v02.api.letsencrypt.org port 443 after 134863 ms: Connection timed out

curl -v also shows ipv4 blocked so it skips right over to ipv6 (which i dont have)

curl -v https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
* Immediate connect fail for 2606:4700:60:0:f53d:5624:85c7:3a2c: Network is unreachable

Whats the standard procedure for requesting your IP be unblocked from the acme servers?

jcjones · November 30, 2023, 2:25am

We /block/ extremely few IPs. That said, the list is nonzero.

DM me your IP, I'll check later this evening.

petercooperjr · November 30, 2023, 2:29am

Blocks from the Let's Encrypt side don't generally manifest as a connect timeout anyway. Usually those symptoms are really that your networking isn't working correctly for routing to Let's Encrypt's servers.

If other sites work, and it feels like it's "just" Let's Encrypt, then confirm that your routing to 172.65 is correct. We've seen a few cases where a routing table somewhere confused it with the private-use IP range 172.16.0.0/12.

thend20 · November 30, 2023, 2:29am

There's no DM option maybe because my account is too new? Can you see my IP as an admin for this post?

I'm not too worried about the IP being exposed though, since its public knowledge for the DNS of my domain...

100.6.146.198

thend20 · November 30, 2023, 2:32am

Well I guess docker could be getting in the way

172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-4d4e405f8fef
172.19.0.0      0.0.0.0         255.255.0.0     U     428    0        0 br-4d4e405f8fef
172.23.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-1e43ed49b07a

But those netmasks don't seem to add up for 172.65

jcjones · November 30, 2023, 3:07am

I have 25 IP blocks in place at the CDN, and this IPv4 address is not one of them. (9 of them are IPv6 subnets)

rg305 · November 30, 2023, 3:33am

@thend20, what shows?:
traceroute -T -p 443 acme-v02.api.letsencrypt.org

system · December 30, 2023, 3:34am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Timeout Error after connect Help	7	1306	March 14, 2019
ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443) Help	2	2137	April 29, 2021
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory Help	7	9287	November 25, 2022
ConnectTimeout: HTTPSConnectionPool (host='acme-v02.api.letsencrypt.org', port=443) Help	12	9954	October 12, 2018
Certbot - URLLIB Read Timeout Help	7	2237	July 3, 2017

ACME server blocking me

Related topics